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(57)Abstract: 

PURPOSE: To enable a mobile station to be shared and to prevent 
illegal use by specifying a authentication confirmation signal and a 
authentication reply signal of a mobile set and a subscriber with a 
random number and a secret key and starting the operation when 
both the signals are coincident 

CONSTITUTION: A random number generating circuit 31 generates 
at first a random number R for an authentication request in a base 
station and transmits the number to a mobile station. A mobile set 
30 enters the random number R and secret keys Ks, Kp of the 
mobile set and subscriber to a signal conversion circuit 33 to obtain 
an authentication reply and a communication ciphering key Ke1 and 
transmits the authentication reply to the base station. The base 
station inputs the random number R and secret keys Ks, Kp to a 
signal conversion circuit 32 to obtain an authentication reply and a 
communication ciphering key Ke2. A comparator circuit 34 
compares a bit pattern of the authentication reply received from the 
mobile station with a bit pattern of the authentication reply 
generated in the base station, and enables the authentication of the 
mobile set when they are coincident and disables the recognition in 
other cases. That is, then the authentication of the mobile set and 
the subscriber authentication are implemented simultaneously by 
one authentication procedure to share the mobile station by plural 
subscribers without degradation in the throughput. 
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* NOTICES * 

JPO and NClPi are not responsible for any 
damages caused by the use of this translation. 

1 .This document has been translated by computer. So the translation may not reflect the original precisely. 
2.**** shows the word which can not be translated. 
3.1n the drawings, any words are not translated. 



CLAIMS 



[Ciaim(s)] 

[Claim 1] In the authentication approach in the digital mobile communication forjudging whether in performing 
mobile communication between the migration machine by the side of a mobile station, and a base station, a 
communications partner is attested and a communication link is started Said mobile station creates a migration 
machine authentication reply signal according to the 1st specific principle with the predetermined random number 
sent from said base station, and the 1st private key of the migration machine proper currently held beforehand, and 
transmits it to this base station. According to the 2nd specific principle, create a subscriber authentication reply 
signal with this random number and the 2nd private key of the subscriber proper from a subscriber, and it transmits 
to this base station. The communication link secrecy key which keeps a communication link secret according to the 
3rd specific principle with this random number and these 1st and 2nd private keys is created. Said base station With 
this predetermined random number generated in this base station, and said 1st and 2nd private keys currently held 
beforehand According to the said 1st, 2nd, and 3rd specific principles, a migration machine authentication 
acknowledge signal, a subscriber authentication acknowledge signal, and a communication link secrecy key are 
created. The authentication approach in the digital mobile communication characterized by performing delivery by 
said random number of this communication link secrecy key while comparing whether said migration machine 
authentication reply signal, this migration machine authentication acknowledge signal, and said subscriber 
authentication reply signal and this subscriber authentication acknowledge signal are in agreement and attesting said 
communications partner. 

[Claim 2] The authentication approach in the digital mobile communication according to claim 1 characterized by 
replacing said a part of 2nd private key in said mobile station by said subscriber's recitation number. 



[Translation done.] 
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* NOTICES * 

JPO and NCI PI are not responsible for any 
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3.1n the drawings, any words are not translated. 

DETAILED DESCRIPTION 

[Detailed Description of the Invention] 
[0001] 

[Industrial Application] This invention relates to the authentication approach in the digital mobile communication 
with which the base station in digital mobile communication attests that it is a mobile station with a communicative 
partner's just mobile station. 
[0002] 

[Description of the Prior Art] Protection of the security in the wireless section is strongly desired as the increment 
in mobile communication need and a demand of diversification of service increase in recent years. Generally, by 
mobile communication, a mobile station and a base station cannot judge the justification of the mobile station which 
communicates in a subscriber's accomodated location, in order that connection may change for every 
communication link. Therefore, while the authentication function for checking the justification of a mobile station is 
required, the authentication function of the subscriber who communicates is required of personal-communications 
number (PTN) service. Moreover, since a communication link is used for a wireless circuit, the secrecy function 
which the content of a communication link may be monitored and enciphers the content of a communication link for 
the security protection of the content of a communication link is required. 

[0003] Here, drawing for explaining the conventional authentication approach to drawing 4 (A) and (B) is shown. 
Drawing 4 (A) and (B) show the delivery approach of the authentication in a ** yaw ROPPA automobile telephone 
system, and a communication link secrecy key. In drawing 4 (A), a fixed network side transmits a random number 
RAND (authentication demand signal) to a mobile station first A mobile station is the key Ks of the authentication 
currently beforehand held in the mobile station in encryption circuit 51a according to algorithm A3, such as DES 
(Data Encryption Standard). SRES (authentication reply signal) is computed from a random number RAND, and it 
transmits to a fixed network side. 

[0004] Key Ks of the authentication currently beforehand held by the fixed network side on the other hand at the 
random-number RAND and fixed network side In encryption circuit 51b (it is the same as encryption circuit 51a), 
SRES is computed according to algorithm A3. And in a comparison circuit 52, SRES computed by the fixed network 
side is compared with SRES transmitted from the mobile station, if it is coincidence (yes), a communication link will 
be started, and if it is an inequality (no), communicating will become impossible. That is, the justification of SRES 
which received by the fixed network side is checked, and a mobile station is attested. 

[0005] Moreover, drawing 4 (B) shows the delivery approach of a communication link secrecy key, and delivery of a 
communication link secrecy key is performed to authentication and coincidence of drawing 4 (A). Setting to drawing 
4 (B), a fixed network side is a random number RAND and the key Ks of authentication. The communication link 
secrecy key Ke is computed according to the algorithm A8 of encryption circuit 55b, and it stores in the storage 
section 56. On the other hand, it is the communication link secrecy key Ke by the side of a fixed network. It does 
not carry out transmitting to a mobile station as it is, but it transmits indirectly using a random-number RAND 
signal. Key Ks of a random number RAND and authentication in ******** and a mobile station The algorithm A8 of 
encryption circuit 55a is followed, and it is the communication link secrecy key Ke. It computes and stores in the 
storage section 57. 

[0006] Thus, the encryption circuits 51a and 51b, algorithm A3 of 55a and 55b, and A8 By making it encryption 
algorithm, it is possible to prevent a third party's tapping and the activity of an unjust mobile station, and it can 
realize enciphering and delivering the secrecy key for keeping the communication link after authentication secret to 
authentication and coincidence. 
[0007] 

[Problem(s) to be Solved by the Invention] However, key Ks of authentication by the above-mentioned approach 
Since only one kind of authentication to depend is performed, the migration machine and subscriber by the side of a 
mobile station cannot be distinguished, for example, one set of a migration machine cannot be shared by two or 
more subscribers. However, although it was possible to have performed subscriber authentication and migration 
machine authentication independently by repeating the same procedure twice, since the amount of signals which 
carries out a radio transmission doubled and a throughput fell, there was a problem that the number of subscribers 
which can be held will become fewer. Moreover, key Ks of authentication Since it was held at the migration inside of 
a plane, when the body of a migration machine was stolen, there was a problem that an unjust activity was attained. 
[0008] Then, while this invention was made in view of the above-mentioned technical problem, can prevent lowering 
of the throughput of wireless and can share one set of a mobile station by two or more subscribers, it aims at 
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offering the authentication approach in the digital mobile communication which prevents the unjust activity by the 

theft. 

[0009] 

[Means for Solving the Problem] In the authentication approach in the digital mobile communication for judging 
whether in performing mobile communication between the migration machine by the side of a mobile station, and a 
base station, the above-mentioned technical problem attests a communications partner, and starts a communication 
link Said mobile station creates a migration machine authentication reply signal according to the 1st specific 
principle with the predetermined random number sent from said base station, and the 1st private key of the 
migration machine proper currently held beforehand, and transmits it to this base station. According to the 2nd 
specific principle, create a subscriber authentication reply signal with this random number and the 2nd private key of 
the subscriber proper from a subscriber, and it transmits to this base station. The communication link secrecy key 
which keeps a communication link secret according to the 3rd specific principle with this random number and these 
1st and 2nd private keys is created. Said base station With this predetermined random number generated in this 
base station, and said 1st and 2nd private keys currently held beforehand According to the said 1st, 2nd, and 3rd 
specific principles, a migration machine authentication acknowledge signal, a subscriber authentication acknowledge 
signal, and a communication link secrecy key are created. White comparing whether said migration machine 
authentication reply signal, this migration machine authentication acknowledge signal, and said subscriber 
authentication reply signal and this subscriber authentication acknowledge signal are in agreement and attesting said 
communications partner It is solved performing delivery by said random number of this communication link secrecy 
key, or by replacing said a part of 2nd private key in said mobile station by said subscriber's recitation number. 
[0010] 

[Function] As mentioned above, a migration machine authentication reply signal and a subscriber authentication 
reply signal are created for a predetermined random number from a base station with these random number and 1st 
and 2nd private keys with delivery and a mobile station to a mobile station. On the other hand, in a base station, a 
migration machine authentication acknowledge signal and a subscriber authentication acknowledge signal are 
created with this random number and the 1st and 2nd private keys currently held beforehand. And a communication 
link is started, when a reply signal and an acknowledge signal concerned are compared and it is in agreement in a 
base station. 

[0011] That is, it becomes possible by performing migration machine authentication and subscriber authentication 
simultaneously in an authentication procedure once to share one set of a migration machine by two or more 
subscribers, without reducing the throughput of wireless. Moreover, by transposing a part of 2nd private key to a 
subscriber's recitation number, when the body of a migration machine is stolen, it becomes possible to prevent an 
unjust activity. 

[0012] Moreover, a mobile station and a base station create a communication link secrecy key with a random 
number and the 1st and 2nd private keys. That is, when an above-mentioned reply signal and an above-mentioned 
acknowledge signal are in agreement it means that the communication link secrecy key in both a mobile station and 
a base station was shared correctly. Therefore, it becomes possible to perform simultaneously migration machine 
authentication, subscriber authentication, and delivery of a communication link secrecy key. 
[0013] 

[Example] The block diagram of one example of this invention is shown in drawing 1 . Among drawing 1 , in a 
migration machine [ in / in 30 / a mobile station ], and 31, the signal transformation circuit of a base station and 33 
carry out the signal transformation circuit of a mobile station, and,- as for 34, the random-number-generation circuit 
of a base station and 32 are carrying out the table of the comparison circuit of a base station, respectively. The 
signal transformation circuits 32 and 33 are the same functional secrecy and Key Kp. It shares. A subscriber's 
private key Kp For example, it being recorded on an IC card etc. and inserting in the migration machine 30 at the 
time of an activity etc. is the gestalt which the migration machine 30 and the subscriber separated. 
[0014] A base station is the random-number-generation circuit 31 first, generates the random number Ft for an 
authentication demand, and transmits it to a mobile station. The bit length of the viewpoint of code reinforcement to 
the random number R has desirable about 64 bits or more. 

[0015] The migration machine 30 is the received private key Ks of a random number R and a migration machine. A 
subscriber's private key Kp read from the subscriber card It inputs into the signal transformation circuit 33, and the 
authentication responses Rs1 and Rp1 and the communication link secrecy key Ke1 are obtained. This 
communication link secrecy key Ke2 is used as a communication link secrecy key for keeping future communication 
links secret. And the authentication responses Rs1 and Rp1 are transmitted to a base station. 
[0016] A base station is the random number R and private key Ks which were generated in the random-number- 
generation circuit 31. And Kp It inputs into the signal transformation circuit 32, and the authentication response Rs2, 
Rp2, and the communication link secrecy key Ke2 are obtained. The communication link secrecy key Ke2 is used as 
.a communication link secrecy key for keeping future communication links secret. A comparison circuit 34 inputs the 
authentication responses Rs1 and Rp1 received from the mobile station, and the signals Rs2 and Rp2 generated in 
the base station, and compares each bit pattern (array of a bit string). When Rs1 and Rs2 are equal, it considers as 
the migration machine authentication O.K., and when other, it considers as the migration machine authentication NG. 
Moreover, when Rp1 and Rp2 are equal, it considers as the subscriber authentication O.K., and when other, it 
considers as the subscriber authentication NG. It is the private key Ks of a mobile station and a base station that 
each bit pattern is in agreement. And Kp The same thing (therefore, a communicative partners mobile station is a 
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just mobile station) is meant, and what (therefore, the communication link secrecy key was shared correctly) the 
authentication demand and the authentication response were mistaken and was transmitted that there is nothing is 
guaranteed by the high probability (reliability becomes so high that R and the number of bits of Rs1 and Rpl are 
made [ many ]). 

[0017] In addition, private key Kp of the subscriber of a mobile station A part is recorded on the nonvolatile memory 
in the migration machine 30, and a subscriber memorizes the remainder as a personal identification number, and 
when starting a communication link, it may be inputted into the migration machine 30 with a ten key etc. Moreover, 
you may be the case where the result obtained by a certain specific operation of a persona! identification number 
and the number on memory is used as a private key. An unjust activity becomes impossible, if according to this a 
personal identification number is not known even if the migration machine 30 is stolen. 

[0018] Next, the block diagram of one example of the signal transformation circuit in the migration machine of 
drawing 1 is shown in drawing 2 . Among the signal transformation circuit 33 of drawing 2 , in the 1st encryption 
circuit and 42, the 2nd encryption circuit and 43 express the 3rd code circuit, and 44 expresses [ 41 ] the 
multiplexing circuit, respectively. In addition, also in the signal transformation circuit 33 of a base station, it is the 
same configuration except for the multiplexing circuit 44. moreover, the 1- the same circuitry is sufficient as the 3rd 
encryption circuit 

[0019] The 1st encryption circuit 41 is a subscriber's private key Kp. It uses, the random number R for an 
authentication demand received from the base station is enciphered by 32 bits according to the 2nd specific 
principle, and the authentication response Rpl is outputted. The 2nd code circuit 42 is the private key Ks of the 
migration machine 30. It uses, a random number R is enciphered by 32 bits according to the 1st specific principle, 
and the authentication response Rs1 is outputted. The 3rd encryption circuit 43 is the private key Ks of the 
migration machine 30. It uses, the authentication response Rs1 is enciphered according to the 3rd specific principle, 
and the communication link secrecy key Kel is outputted. Moreover, the multiplexing circuit 44 multiplexes Rs1 and 
Rp1, and outputs them to a base station as one signal. In addition, the multiplexing circuit 44 may be removed and 
Rs1 and Rp1 may be transmitted as another signal. 

[0020] the 1- the code realized in the 3rd encryption circuit 41, 42, and 43 requires that circuit magnitude should be 
small and there should be few throughputs, in order to realize in the migration machine 30. such the 1- as a cipher 
system by the 3rd specific principle, private key cryptosystems, such as FEAL (Fast data Encipherment Algorithm) 
and DES, are effective. Therefore, it is actually impossible that deriving the above-mentioned code secrecy key Ke1 
intercepts the communication link after authentication since it is actual very difficult, and to create and use an 
unjust mobile station. In addition, although the point of reliability is sufficient as making it the same as an input signal 
R, as long as the number of bits of output signals Rsl and Rp1 has enough the large number of bits of an input 
signal R, it may make the number of bits of output signals Rs1 and Rp1 fewer than an input signal, and may raise the 
throughput of wireless. For example, although both the output signals Rsl and Rp1 will become 64 bits like drawing 1 
if an input signal R is made into 64 bits when adopting FEAL as a cipher system, only 32 bits of each low order are 
extracted and multiplexed, and a 64-bit authentication response is constituted and it transmits. According to this, it 
becomes much more difficult to compute a private key by intercepting. In addition, although the above-mentioned 
example was only expressed as the base station, it contains the control station of the high order of a base station, 
the exchange, a home memory station, etc. 

[0021] Next, the block diagram of other examples of this invention is shown in drawing 3 . Drawing 3 (A) is what 
showed the outline in the case of attesting among users, and drawing 3 (B) is a block diagram for making drawing 3 
(A) correspond to drawing 1 R> 1, and explaining it. In drawing 3 (A), it attests between an authentication invoking 
user (equivalent to the base station in drawing 1 ), and an attested side user (equivalent to the mobile station in 
drawing 1 ), and the cryptographic key Ki (equivalent to Kp [ in drawing 1 ] and Ks) of secrecy is shared. 
[0022] A now and authentication initiator user is Plaintext P and a cryptographic key Ki while transmitting the 
suitable plaintext P (equivalent to the random number R in drawing 1 ) to an attested side user. It uses and Code C 
(equivalent to Rs2 and Rp2 in drawing 1 ) is generated. The plaintext P which received by the attested side user on 
the other hand to cryptographic key Ki It uses, cipher C (equivalent to Rs1 and Rp1 in drawing 1 ) is generated, and 
an authentication initiator user is returned. It is Authentication O.K. if Cipher C and C are equal. 
[0023] Thus, by making Plaintext P into a different sentence (random number) for every authentication, the content 
of the authentication procedure can be changed for every call, and secrecy nature can realize the high 
authentication approach. 

[0024] Moreover, in drawing 3 (B), by the encryption machine F of encryption machine F' (equivalent to the signal 
transformation circuit 32 in drawing 1 ) of the migration exchange (authentication invoking user), and a migration 
machine.(attested user), and F" (equivalent to the signal transformation circuit 33 in drawing 1 ), in order to make 
an encryption rate quick and to make small the burden to CPU (central processing unit) of a migration machine, 
secret key cryptosystems, such as the above-mentioned FEAL and DES, are used, in addition, authentication key Ki 
it is — authentication key Kp for subscribers And authentication key Ks for migration machines It stores in a home 
memory station as some subscriber datas. 

[0025] First the migration exchange transmits random-number R (P) generated within the migration exchange to a 
migration machine, and performs an authentication demand. So, in a migration machine, the encryption result Rp and 
Rs (C in drawing 3 (A), and Rp1 and Rs1 2 in drawing 1 considerable) are obtained by the encryption machine F and 
F" using Kp which is an authentication key the object for subscribers, and for migration machines about R (P) which 
received, and Ks (Ki). It processes by taking out the authentication key Kp and Ks (Ki) from a home memory similarly 
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in the migration exchange. 

[0026] And a migration machine is this encryption result Pp and Rs to the migration exchange. It transmits as an 
authentication response. By the migration exchange, comparison collating of both encryption result is carried out, 
when a result is in agreement, it is regarded as authentication normal, and a communication link is started. In 
addition, in drawing 2 , the secrecy key Ke1 is generated from the migration private key Ks, and it is the 
authentication key Kp for subscribers at drawing 3 (B). Although the secrecy key Ke1 is generated, both may not 
necessarily be another, and whichever is satisfactory for them as long as they are unified the migration exchange 
side. 

[0027] Here, if the encryption result generated during an authentication procedure is used for a secrecy key (the 
secrecy key Ke1 of a migration machine, and secrecy key Ke2 of the migration exchange), since insurance and a 
secrecy key which could be realized efficiently and is different for every call are [ delivery of the secrecy key in a 
wireless circuit ] generabie, a secrecy pattern can be changed for every call, and high secrecy of safety can do. 
[0028] 

[Effect of the Invention] As mentioned above, according to this invention, by being able to share one set of a 
migration machine by two or more subscribers, and making some private keys into a personal identification number 
in one authentication procedure, without lowering the throughput of wireless by realizing migration machine 
authentication and subscriber authentication simultaneously, even if a migration body is stolen, an unjust activity 
can be prevented by the personal identification number. 



[Translation done.] 



JP t 05-327693 f A [DESCRIPTION OF DRAWINGS] 



1/1 ^-v 



* NOTICES * 

JPO and NCiPl are not responsible for any 
damages caused by the use of this translation. 

1. This document has been translated by computer. So the translation may not reflect the original precisely. 

2. **** shows the word which can not be translated. 
3.1n the drawings, any words are not translated. 



DESCRIPTION OF DRAWINGS 



[Brief Description of the Drawings] 

[Drawing 1] It is the block diagram of one example of this invention. 

[Drawing 2 } It is the block diagram of one example of signal exchange ****** in the migration machine of drawing 1 . 

[Drawing 3] It is the block diagram of other examples of this invention. 
[Drawing 4] It is drawing for explaining the conventional authentication approach. 
[Description of Notations] 

30 Migration Machine 

31 Random-Number-Generation Circuit 

32 33 Signal transformation circuit 
34 Comparison Circuit 

41 1 st Encryption Circuit 

42 2nd Encryption Circuit 

43 3rd Encryption Circuit 

44 Multiplexing Circuit 
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»»«^»»©JllA# , rftffl1-5r«h3&S"C#&K 
fc, |S|i;^li^2iiItt0iirctlC < t^ JDA^BiEt 

^KaBE^s'j^fcfToiitiJpjfiBTft^^ mmfc& 

6, !R8T€51niA#Sc^«oTb^5t^5P3lS^* 

[ 0 0 0 8] ^^T, *SI8tt±EK)ltcB^3a:^nfc 
t>©T, «l©AJl--Xy h©fiT^ES±bTl^©^ 
^©^^©JlDA^T^-rs^^XtSt*!^ 8S 
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(3) 

3 

1 1 o mu-?5& fcffiftf o - 1 £ § W t T 5 . 

[0 0 0 9] 

m 2 Oftffi » «t II «t D * 2 <Dfc£8JliJ iCtfo TJO 

iw^2 €D»a5*tt-<fc o s 3 <o»fem\\z&o rm 
ffi£8ETsas8Eft£ffrfcu tmgj&m*. 

SJESlR«S2©8ffi«tttJ:0, fiJESl, f£2& 

BEKB«^Rt«iffiasE«l&^fiEL, ifE^fittBEE 
jeSfi^iK»»«BiEttKffi^, RtfffifEJnA^BE 

js«s^«hKJjDA#BiiEaBe^*t-a-rs^53&^tt a? 

BJEaSKcfcSESfcfT^ctlzJ:^ £fca«r£»» 
Slz*5H-oi4SBS2 08ffillO-S£, fflrEMA#©if 
PE#-^TS^^ * e: £ tc £ D 2 n* . 
[0 0 10] 

KgD, »»STC©a»ih»lX«S2C!)IBffilti:IC 
£ 0^ftaBEJSSfi^R^JtaA«BiEieS«^«:^* 

roc safe^TiiKaftt^feffiit^nT^ss 
is.r;s2©a!ejfttii«tD»i(iSBfEiiBff^R^iD ^ 

A#BBE«B«-t£ff«"rs. -rtT, Si^T^S^ 
gfi^£»Bffi^<!:£tt«b-c\ -»bfc*&t;:a<i£ 

[0 0 11] -T&t)^, -£©l£lE#jtiT^Ifj*lfglEch 
JflA#BE^lRl^tfT5^ttJ:0, ?&^©X;l/-:/y 
h£ft~F2l3>5;i£fc< l^©g»a&»S0iJnA#"C 

£lfflA*©BtilS^{wtt»^5^tlzJ;D, 
[0 0 12] Sfc, #»JgfttfgJ6Ba, S&tmiR 

±a^se^xi> : »Bfi^*«-abfc*'&ictt, 

[0 0 13] 

i\ hi*. 3 o\$&mmz&tt2>&mm* 31 as* 



^p^Jji 5-327693 

4 

n^ni-Ltt^o ff*«»niB3 2 13 3HIr|i;*ie 
a 1 c*-K*icE»sn, &mm\z&mm3 otcs 

At"S*. »ft«3 0tfl]A*^»Bbfc«ffiT*5. 
[0 0 14] SiJilful^ ^ra»»4lHlB3 IT. BE 

©SjSWpS. aftRWt'y hfia6 4 hg££U:# 

[0 0 15] #ft«3 0a, gfibfca»R£, &H«K 
©iBffiftKs UnA#*-K5&^tt*ttiUfclPA#0 
KffiftKp £ffi^£»ls!B3 3 ICA^U BEJESRs 
1, RplKtEIfiffiE*Kel£»S. £©3Hi»E»Ke 
2ttKft©a<H^8ETSfc«)Oafi8E»<i:bTffi^ 
iLT, SEfcSRsl, RplSSJfeB^SHi^n 

[0016] &i&m\*s a»**!siK3 imbfca 

ftR£8SRKs &tfKp £e#£ftlalj»3 2 HA* 
U EEJ&«rRs2, Rp2M*a<IiEEftKe2£f#©. S 

ft &EitK e2 aa«©ag £»ets & coam^^ 

tUSus. tt«lHlK 3 4 tt. »ftSj&>S£*Ib;fcB 
sEJSSRsl, Rpl, R^S*HrtT**Lfc(i#Rs2 I 
Rp2£A*U -rtl^not*^ hA°^-> (fyh?0O 
E#I) £i£S"f£o Rsl£Rs2#mbH£##ft«BE 
OKtU •c-tia^©t##«i«BffiNGtTS- XR 
pliRp2d«*LUtSiUA#BlEOKtL, ^n&&© 

<t^ftiA#BffNG(i:-rs B ^nfn^H^ h/^-> 
#-&*r*£^3;:£a, »»K«hSJ6B©a.ffiitKs 

[0 0 17] ^^5, »»JS0mA#08ffi*Kp f^' — 
fflS»K«3 Ort^^FWSStt^^UtESU aottjn 
A#^l«ffi##<?:LTE*L/, affi&BBJfi-TS 

[0018] m2\z, mi(o^mmzm^m^ 

3 3*. 4 1 ttS 1 (Dflt^fblalB, 4 2 US 2 © 
Pt-^ftlHlB, 4 3 aH 3 ©^©^ ( 4 4 a#fiftilElK 

3 3lc43^T*>#fiftHK4 4S:»#rai;««Tfc^ 

^fc, Si ~^3©^b[Hl^a[Hl--C7)[B]g§S^T : b^ 

[0019] ^1 ©it^t;iHi?S4 1 a, aDA#0>«ffi« 
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Kp £$UT, Sift^SSffibtBEBSffloaSR 
*S2©#5£}4IIJI^^3 2 KTIt^bU BE* 
«Rpl£ffi*-r-S. S2©lt*IslK4 M3 0 

3 2 fc: s; hTPf-^ftU BSEJiBSRslSraiATS. S3 
COHt-^-ffclsIB 4 3 I±. Mi3 0©ifHKs £JBU 

affifKEftKel^ffl*^*. *fi*fcls]&4 4t& 

Rsl<hRpl£*fifl:U -fi-9«tLTSjfi^iCHi*1- 
3, ft*, *fift®B4 4&^b, Rsl<hRpl£#J{g^ J0 
£LT2tSLTfcJ:K 

[0 0 2 0] mi~%3<DV£mm?&4 1, 4 2M4 

5 as i - g 3 ofiFesflijuj; a pf^ft^a: t utim 

A&FEAL (Fast data EDcipherment Algorithm)-, 

hs^3fi»*^na. ta^e^Rsi, R P i©t> 

±£itTt>,3:U. *!;Lffi, PtfjatlTFEALSS 
H ICONIC, AMfR^6 4t*7hi 
-fStffi^ft^Rsl, Rplli*lc6 4 htfc*)^ 

[oo2i] &\z, 031c, ifwm%o$mm<b7u 
yzm**?* 0 3 (a) tea— tf etbe £fr *> 

0«E5^l/fcfcO^ ^3 (B) te, 0 3 (A) SB 
llc^lS^itTRIB'rsfci&coyny^BITfeS. 03 
(A) ic£^T> BEiE»^-1f (Hltcfe^SSJftg 
KfflS) (httBEffloL-— if (H l lr43tto&»Stwffl 

s> rar-BESfTpfe©^ feffi©«r#itKi (Bite 

*lj-5Kp , Ks ICfflS) So 4» 

[ 0 0 2 2] US, BEE»«a— 1fttaa&¥XP 
m 1 ir^tfoSLSRIlffil) SftBEfflJa-tflCiiS 
T3£*^ ^PXPtlSP^ftKi ^V^TPt-^C (01 
IC^tt^Rs2 ) Rp2i'ffi^) ££$f3 0 -S, &^1E 

S^JC (01 fcfcltSRsi, RpllrfflS) 
U Bttfiftffla— ifirElT^. Pi^XC^C 
UjtltfBEOKTSS. 

[ 0 0 2 3] ^co^ptr, ¥£P£BE«;:&ftofc:S: 
(SLS) Icro^tlCcfcD, BE?lI0i*i££ii¥*K:£ 50 



W5-3 2 7 6 9 3 

ffiSft^ia^BE^ft^S-rs^t 

[ 0 0 2 4] 0 3 (B) icfe^T, 

(BES»^--1f) ©St^tSF' (HlKSttoffi^ 
£&!s]&3 2iCffl^) Rtf£»tt («BE^i— !f) ©It 
^{b^F, F" (BIltr*tf5fi^aSSI!51B3 3ICffi 
*S) Til, KfcM^KL, Ml£0CPU (** 

Msg© n*f-rsftfiS:/hs<Tsfc&ic Ka^F 

EAL, DES^©Mit^^-5 0 fcfc, ^EH 
Ki T&*inA#/HEEIlKp Rtf#ft8tfflBEiiKs 

[0 0 2 5] £^ »»X»«li»»«IC*ftT, 
5ft«l*iTK£Lfc&ftR (P) £i£(iLTREB*«: 
fr^c gffibfcR (P) S5PA« 

ffl£#ft«ffl<BBE»T&3Kp , Ks (Ki ) SfflU 
TBS-^gFRtfF" ICTfi^fc&SRp , Rs (0 3 

(A) iC^ttoC* , Hlllfet-tSRpl, Rsl2 ffiS) 

EE«Kp , Ks" (Ki ) £SffibTj&S£fT5. 

[0 0 2 6] rLT, #fttttel^£»«lcKie^fcJg 
mPp . Rs SBEJSStLTgfil-S. 

tcBEiE#^^&L'T, Sfl^ffl&T^feCDT&^o & 
fc, 0 2Tli^»IB*JlKs«tO8EftKelS±fi!ELT 
43 0, 0 3 (B) T?teinA#JBBE«Kp J:l3»EftK 

[0027] lit, mm^M^iz£f&z no B^fb^ 

*S8E«ic*«^1-n« (»»«©8E«KelXDl»ft 
3£««©IBE»Ke2) , S«E»OE3l 
S*c±7&0»*»C^ST#, ^fcP¥«lcS&ofc»E 
«S:^*T?€SCt^68EA^->SPf«lcXA6 

[0 0 2 8]. 

E^«T\ »ft*BEtiPA*BE£lRiHFlz*a*rs^ 

o»»«$ffl»olflA*-c*fflt-se:t^Tt, 
o-as&stES^ttsrtic.to, ^»*ft*tasn 

[Hi] *3s?a©— sas«o^o^^0T-*5 B 

[02] 0 1©»ft«IC*^oM^S»ftlHlB©-*ft 

im 3 ]' *»W©fl!lOS6JBW©^D y i7.0T*§. 
[04 ]■ ffi*OBE*S€:ffi§at"o&8&©l§IT*So 
[f5#©IH§8] 
3 0 ^fbffi 



-812- 



(5) 



B¥ 5-327693 



3 1 a&5E£@» 

3 2, 3 3 ffi-t2»BB 

3 4 JtftlHlK 

4 1 mi 0Pg^fb0& 



4 2 £12 CO^fblHlSS 
4 3 m 3 ©fiP^ftlalK 
4 4 *aft@B 



[HI] 
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(6) 



2 7 6 9 3 



[B2] 



□l 



00 
CO 



0 



4t 
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(7) 



2 7 6 9 3 



[03] 



(A) 



r 



u£fcffcC=F(P.Ki) 



Cy! C 




( n$m& ) 



C=F(P,K0 



(B) 



Kp 



Ks 



Kei 



R(P? 



Rp,Rs(C T ) 



par 



I 



F' 



RrRs* 



Kp.Ks 
(Ki) 



Kp.Ks 
(Ki) 




OK 
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(8) 
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[884] 



Ks 



51a 



(A) 



RANDC^^ 5 *^^ Ks 
- RAND 



52 ^5RES 



yes/no 



Ks 



Ke 



Store Ke 



55a 



-57 



(B) 

RAND 



-RAND 



Ks 



55b_ 



56. 



ii 



Ke 



Store Ke 



(72)§gSB* H± 



■ (72) fS93« TEH 36PB 

3HCS=FftEKf*i¥Pr-T§l«6* B 

(72)SIJW 1 

"«]Kffi=FfClIlErt¥BI-TilS6# B 
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